Authors:
(1) Simon Kafader, University of Bern, Bern, Switzerland ([email protected]);
(2) Mohammad Ghafari, University of Auckland, Auckland, New Zealand ([email protected]).
We developed FluentCrypto to relieve mainstream developers from dealing with low-level cryptography complexities. It is built on top of the standard Node.js API and provides a task-based solution i.e., developers only state “what” they need rather than being concerned about “how” to implement a cryptography task. We also developed a domain-specific language, called CryRule, that crypto experts can use to specify constraints on crypto objects. FluentCrypto relies on these constraints to determine a secure configuration of the API. Through an initial study, we found that FluentCrypto greatly helps developers to deliver secure solutions in a shorter time. It prevents common errors by novice developers, but at the same time it still allows experienced developers to access advanced settings.
This work is the first step toward supporting mainstream developers with a crypto API that is secure by design, and further studies are essential to claim any generalization. We plan to conduct an extensive experiment with more subjects when COVID-19 restrictions relax and developers come back to their work offices. Particularly, we are interested to assess the usability of FluentCrypto in depth as well as its runtime overhead. In terms of extending FluentCrypto, we will investigate whether its current design would support other cryptography tasks as well. Besides, in this work we relied on a dynamic approach to enforce crypto constraints mainly due to the use of JavaScript, but it is worthwhile to investigate the possibility of adopting statical techniques to provide developers with JIT feedback especially in other settings.
[1] T. IBM and the Ponemon Institute, “Cost of a data breach report,” Tech. Rep., 2020.
[2] N. Patnaik, J. Hallett, and A. Rashid, “Usability smells: An analysis of developers’ struggle with crypto libraries,” in Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019). Santa Clara, CA: USENIX Association, Aug. 2019. [Online]. Available: https://www.usenix.org/conference/soups2019/presentation/patnaik
[3] M. Hazhirpasand, M. Ghafari, S. Krüger, E. Bodden, and O. Nierstrasz, “The impact of developer experience in using Java cryptography,” in 2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM). IEEE, 2019, pp. 1–6.
[4] M. Hazhirpasand, M. Ghafari, and O. Nierstrasz, “Java cryptography uses in the wild,” in Proceedings of the 14th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), ser. ESEM ’20. New York, NY, USA: Association for Computing Machinery, 2020. [Online]. Available: https://doi.org/10.1145/3382494.3422166
[5] T. Zhang, G. Upadhyaya, A. Reinhardt, H. Rajan, and M. Kim, “Are code examples on an online q&a forum reliable?: a study of api misuse on stack overflow,” in 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE). IEEE, 2018, pp. 886–896.
[6] M. Ghafari, P. Gadient, and O. Nierstrasz, “Security smells in android,” in 2017 IEEE 17th International Working Conference on Source Code Analysis and Manipulation (SCAM), 2017, pp. 121–130.
[7] P. Gadient, M. Ghafari, P. Frischknecht, and O. Nierstrasz, “Security code smells in android icc,” Empirical Software Engineering, vol. 24, 2019.
[8] S. Krüger, S. Nadi, M. Reif, K. Ali, M. Mezini, E. Bodden, F. Göpfert, F. Günther, C. Weinert, D. Demmler et al., “Cognicrypt: supporting developers in using cryptography,” in 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE). IEEE, 2017, pp. 931–936.
[9] S. Rahaman, Y. Xiao, S. Afrose, F. Shaon, K. Tian, M. Frantz, M. Kantarcioglu, and D. D. Yao, “Cryptoguard: High precision detection of cryptographic vulnerabilities in massive-sized java projects,” in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’19. New York, NY, USA: Association for Computing Machinery, 2019, p. 2455–2472. [Online]. Available: https://doi.org/10.1145/3319535.3345659
[10] Y. Tymchuk, M. Ghafari, and O. Nierstrasz, “Jit feedback - what experienced developers like about static analysis,” in 2018 IEEE/ACM 26th International Conference on Program Comprehension (ICPC), 2018, pp. 64–6409.
[11] J. Smith, L. N. Q. Do, and E. Murphy-Hill, “Why can’t johnny fix vulnerabilities: A usability evaluation of static analysis tools for security,” in Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020). USENIX Association, Aug. 2020, pp. 221– 238. [Online]. Available: https://www.usenix.org/conference/soups2020/ presentation/smith
[12] C. Corrodi, T. Spring, M. Ghafari, and O. Nierstrasz, “Idea: Benchmarking android data leak detection tools,” in Engineering Secure Software and Systems, M. Payer, A. Rashid, and J. M. Such, Eds. Cham: Springer International Publishing, 2018, pp. 116–123.
[13] V.-P. Ranganath and J. Mitra, “Are free android app security analysis tools effective in detecting known vulnerabilities?” Empirical Software Engineering, vol. 25, 2020.
[14] M. Hazhirpasand, M. Ghafari, and O. Nierstrasz, “Cryptoexplorer: An interactive web platform supporting secure use of cryptography APIs,” arXiv preprint arXiv:2001.00773, 2020.
[15] S. Nadi, S. Krüger, M. Mezini, and E. Bodden, “Jumping through hoops: Why do Java developers struggle with cryptography APIs?” in Proceedings of the 38th International Conference on Software Engineering, 2016, pp. 935–946.
[16] M. Green and M. Smith, “Developers are not the enemy!: The need for usable security APIs,” IEEE Security & Privacy, vol. 14, no. 5, pp. 40–46, 2016.
[17] S. Das, V. Gopal, K. King, and A. Venkatraman, “IV= 0 security: Cryptographic misuse of libraries,” Massachusetts Institute of Technology, Final Rep, vol. 6, 2014.
[18] S. Krüger, K. Ali, and E. Bodden, “CognicryptGEN : Generating code for the secure usage of crypto apis,” in Proceedings of the 18th ACM/IEEE International Symposium on Code Generation and Optimization, ser. CGO 2020. New York, NY, USA: Association for Computing Machinery, 2020, p. 185–198. [Online]. Available: https://doi.org/10.1145/3368826.3377905
[19] D. C. Nguyen, D. Wermke, Y. Acar, M. Backes, C. Weir, and S. Fahl, “A stitch in time: Supporting android developers in writingsecure code,” in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’17. New York, NY, USA: Association for Computing Machinery, 2017, p. 1065–1077. [Online]. Available: https://doi.org/10.1145/3133956.3133977
[20] L. Singleton, R. Zhao, M. Song, and H. Siy, “Cryptotutor: Teaching secure coding practices through misuse pattern detection,” in Proceedings of the 21st Annual Conference on Information Technology Education, ser. SIGITE ’20. New York, NY, USA: Association for Computing Machinery, 2020, p. 403–408. [Online]. Available: https://doi.org/10.1145/3368308.3415419
[21] L. Piccolboni, G. Di Guglielmo, L. P. Carloni, and S. Sethumadhavan, “Crylogger: Detecting crypto misuses dynamically,” in IEEE Symposium on Security & Privacy (SP) 2021, 2021.
[22] P. L. Gorski, Y. Acar, L. Lo Iacono, and S. Fahl, “Listen to developers! a participatory design study on security warnings for cryptographic apis,” in Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, ser. CHI ’20. New York, NY, USA: Association for Computing Machinery, 2020, p. 1–13. [Online]. Available: https://doi.org/10.1145/3313831.3376142
[23] M. Fowler. (2005) Fluentinterface. [Online]. Available: https://www. martinfowler.com/bliki/FluentInterface.html