SCG News

The Bumpy Relationship of Developers and Cryptography

Mohammadreza Hazhirpasand. The Bumpy Relationship of Developers and Cryptography. PhD thesis, University of Bern, May 2022. Details.


As the cornerstone of the internet, cryptography is becoming increasingly important in software development. Nevertheless, the way this cornerstone is laid is so critical that a mistake can result in grave reputational and financial loss. Given the rapid growth of applications for various platforms and devices, developers with varying levels of expertise are more likely to make catastrophic mistakes in employing cryptography. The imminent threat of misusing cryptography prompted us to investigate what factors impede developer performance. Having explored how cryptography is used in open-source as well as enterprise projects, we realized that crypto API misuses do occur in both areas. To understand the primary causes, we investigated the prevalence of crypto API misuse from two major aspects, i.e., the API and developer perspectives, and presented feasible remedies. From the API perspective, we conducted three studies on Stack Overflow: (1) a large-scale analysis of 91 954 crypto-related questions, (2) an analysis of 500 questions with regards to 20 crypto libraries, and (3) a close scrutiny of Java crypto APIs. We realized that there is a distinct lack of knowledge among askers in fundamental concepts, such as certificates, asymmetric and password hashing, and that the complexity of crypto libraries weakened developer performance to correctly implement a crypto scenario. More specifically, libraries are not yet designed so as to help avoid inadvertent misuse, aside from their problematic installation and usage. The API-level analysis showed that APIs require myriad options and leave developers inundated with many alternatives to choose from. Furthermore, the code snippets, as well as solutions on Stack Overflow, contain security violations, resulting in a massive ripple effect as others may end up with untrustworthy sources and examples. From the developer perspective, we conducted four studies: (1) an analysis of developer performance in using crypto APIs, (2) gathering open-source maintainers’ feedback for their crypto misuses, (3) a survey with 97 developers who used crypto APIs in open-source projects, and (4) an analysis of crypto experts’ activity on Stack Overflow and GitHub. We found out that four factors of developer experience, e.g., developer involvement in multiple projects, did not improve developer performance over time. Developer feedback on GitHub revealed that security hints in API documentation are scarce, that some misuses stem from third-party libraries, and that code context affects the way crypto APIs are used. While being concerned about security, developers often fail to incorporate security standards into their developments, e.g., low rate of adoption of security tools or security-concerned questions on Stack Overflow. They also have a low tendency towards consulting educational sources particularly tailored for cryptography and are more inclined to turn to untrustworthy sources, e.g., Stack Overflow. The findings showed that crypto experts’ practices on GitHub accord with the crypto topics and programming languages they feel confident to contribute on Stack Overflow. As for plausible remedies for alleviating crypto API misuses, we contacted the top 1% of crypto experts to collect their views regarding root causes and solutions. Crypto experts mentioned that the root causes for the challenging areas can be classified into three major categories: learning resources, crypto APIs, and human-related. They also suggested a number of solutions, such as employing misuse-resistant libraries and improving one’s knowledge by consulting dependable online sources, e.g., Coursera. We also introduced a tool, i.e., CryptoExplorer, to assist developers by delivering real-world examples. A preliminary study of CryptoExplorer showed that the tool helps developers explore secure crypto examples and learn how to correctly use crypto APIs by comparing examples of correct uses and misuses. We conclude that existing approaches may arguably have a limited impact, cannot be practical on a large scale, and can only target a specific audience. We believe that there are two promising methods to cope with this issue successfully: (1) developing misuse-resistant crypto APIs to render unintentional API misuse exceedingly improbable, (2) producing high-quality, easy-to-understand, and entertaining online tutorials to broaden developer knowledge in this domain.

Posted by scg at 11 May 2022, 1:15 pm comment link

The Dilemma of Security Smells and How to Escape It

Pascal Gadient. The Dilemma of Security Smells and How to Escape It. PhD thesis, University of Bern, May 2022. Details.


A single mobile app can now be more complex than entire operating systems ten years ago, thus security becomes a major concern for mobile apps. Unfortunately, previous studies focused rather on particular aspects of mobile application security and did not provide a holistic overview of security issues. Therefore, they could not accurately understand the fundamental flaws to propose effective solutions to common security problems. In order to understand these fundamental flaws, we followed a hybrid strategy, i.e., we collected reported issues from existing work, and we actively identified security-related code patterns that violate best practices in software development. We further introduced the term “security smell, i.e., a security issue that could potentially lead to a vulnerability. As a result, we were able to establish comprehensive security smell catalogues for Android apps and related components, i.e., inter-component communication, web communication, app servers, and HTTP clients. Furthermore, we could identify a dilemma of security smells, because most security smells require unique fixes that increase the code complexity, which in return increases the risk of introducing more security smells. With this knowledge, we investigate the interaction of our security smells with the 192 Mitre CAPEC attack mechanism categories of which the majority could be mitigated with just a few additional security measures. These measures, a String class with behavior and the more thorough use of secure default values and paradigms, would simplify the application logic and at the same time largely increase security if implemented appropriately. We conclude that application security has to focus on the String class, which has not largely changed over the last years, and secure default values and paradigms since they are the smallest common denominator for a strong foundation to build resilient applications. Moreover, we provide an initial implementation for a String class with behavior, however the further exploration remains future work. Finally, the term “security smell is now widely used in academia and eases the communication among security researchers.

Posted by scg at 10 May 2022, 8:53 pm comment link

Cryptography Vulnerabilities on HackerOne

Mohammadreza Hazhirpasand and Mohammad Ghafari. Cryptography Vulnerabilities on HackerOne. In 21st IEEE International Conference on Software Quality, Reliability, and Security (QRS), p. 18-27, December 2021. Details.


Previous studies have shown that cryptography is hard for developers to use and misusing cryptography leads to severe security vulnerabilities. We studied relevant vulnerability reports on the HackerOne bug bounty platform to understand what types of cryptography vulnerabilities exist in the wild. We extracted eight themes of vulnerabilities from the vulnerability reports and discussed their real-world implications and mitigation strategies. We hope that our findings alert developers, familiarize them with the dire consequences of cryptography misuses, and support them in avoiding such mistakes.

Posted by scg at 25 April 2022, 9:15 am comment link

FuzzingDriver: the Missing Dictionary to Increase Code Coverage in Fuzzers

Arash Ale Ebrahim, Mohammadreza Hazhirpasand, Oscar Nierstrasz, and Mohammad Ghafari. FuzzingDriver: the Missing Dictionary to Increase Code Coverage in Fuzzers. In 29th edition of the IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), March 2022. Details.


We propose a tool, called FuzzingDriver, to generate dictionary tokens for coverage-based greybox fuzzers (CGF) from the codebase of any target program. FuzzingDriver does not add any overhead to the fuzzing job as it is run beforehand. We compared FuzzingDriver to Google dictionaries by fuzzing six open-source targets, and we found that FuzzingDriver consistently achieves higher code coverage in all tests. We also executed eight benchmarks on FuzzBench to demonstrate how utilizing FuzzingDriver’s dictionaries can outperform six widely-used CGF fuzzers. In future work, investigating the impact of FuzzingDriver’s dictionaries on improving bug coverage might prove important.

Posted by scg at 1 April 2022, 9:15 am comment link

Increasing stakeholder engagement with object cards

Artthik Sellathurai. Increasing stakeholder engagement with object cards. Bachelor’s thesis, University of Bern, March 2022. Details.


There exist several tools that enable domain experts to model a problem domain graphically. In this thesis, we investigated a selection of state-of-the-art graphical modeling tools to study their characteristics and to uncover their shortcomings regarding their support to engage multiple stakeholders. We observed that the existing graphical modeling solutions: (1) allow users to graphically specify domain entities and relationships between them, and (2) facilitate automatic code generation from the visual specifications. We observed limited support in selecting domain- specific graphical notations, and the code generation facilities offered by the existing tools are uni-directional only, i.e., from specification to code. Furthermore, we observed that the existing tools might be hard to master for non-technical stakeholders, as these tools require the user to have in-depth knowledge about the offered functionality. To tackle these limitations, we propose an approach to iteratively create domain models inside an integrated development environment (IDE). With our approach, non-technical stakeholders can graphically create actors of any domain as first-class citizens and iteratively give them behavior. Developers create custom graphical notations suitable for non-technical stakeholders. We demonstrate a prototype implementation that demonstrates our approach in the Glamorous Toolkit IDE with a case study.

Posted by scg at 31 March 2022, 10:15 am comment link
<< 1 2 3 4 5 6 7 8 9 10 >>
Last changed by admin on 21 April 2009