The Bumpy Relationship of Developers and Cryptography

Mohammadreza Hazhirpasand. The Bumpy Relationship of Developers and Cryptography. PhD thesis, University of Bern, May 2022.

Abstract

As the cornerstone of the internet, cryptography is becoming increasingly important in software development. Nevertheless, the way this cornerstone is laid is so critical that a single mistake can result in grave reputational and financial loss. Given the rapid growth of applications for various platforms and devices, developers with varying levels of expertise are more likely to make catastrophic mistakes when employing cryptography. The imminent threat of cryptography misuse prompted us to investigate which factors impede developer performance. Having explored how cryptography is used in open-source as well as enterprise projects, we found that crypto API misuses occur in both areas. To understand the primary causes, we investigated the prevalence of crypto API misuse from two major aspects, i.e., the API perspective and the developer perspective, and presented feasible remedies. From the API perspective, we conducted three studies on Stack Overflow: (1) a large-scale analysis of 91 954 crypto-related questions, (2) an analysis of 500 questions concerning 20 crypto libraries, and (3) a close scrutiny of Java crypto APIs. We found that askers distinctly lack knowledge of fundamental concepts, such as certificates, asymmetric encryption, and password hashing, and that the complexity of crypto libraries weakens developers' ability to correctly implement a crypto scenario. More specifically, beyond their problematic installation and usage, libraries are not yet designed to help avoid inadvertent misuse. The API-level analysis showed that APIs require myriad options and leave developers inundated with alternatives to choose from. Furthermore, code snippets as well as solutions on Stack Overflow contain security violations, resulting in a massive ripple effect as others end up relying on untrustworthy sources and examples.
From the developer perspective, we conducted four studies: (1) an analysis of developer performance in using crypto APIs, (2) gathering open-source maintainers' feedback on their crypto misuses, (3) a survey of 97 developers who used crypto APIs in open-source projects, and (4) an analysis of crypto experts' activity on Stack Overflow and GitHub. We found that four factors of developer experience, e.g., developer involvement in multiple projects, did not improve developer performance over time. Developer feedback on GitHub revealed that security hints in API documentation are scarce, that some misuses stem from third-party libraries, and that code context affects the way crypto APIs are used. While being concerned about security, developers often fail to incorporate security standards into their development work, as shown, e.g., by the low adoption rate of security tools and the low rate of security-concerned questions on Stack Overflow. They also show a low tendency to consult educational sources tailored for cryptography and are more inclined to turn to untrustworthy sources, e.g., Stack Overflow. The findings showed that crypto experts' practices on GitHub accord with the crypto topics and programming languages they feel confident contributing to on Stack Overflow. As for plausible remedies for alleviating crypto API misuses, we contacted the top 1% of crypto experts to collect their views on root causes and solutions. Crypto experts stated that the root causes of the challenging areas fall into three major categories: learning resources, crypto APIs, and human-related factors. They also suggested a number of solutions, such as employing misuse-resistant libraries and improving one's knowledge by consulting dependable online sources, e.g., Coursera. We also introduced a tool, CryptoExplorer, to assist developers by delivering real-world examples.
A preliminary study of CryptoExplorer showed that the tool helps developers explore secure crypto examples and learn how to correctly use crypto APIs by comparing examples of correct uses and misuses. We conclude that existing approaches arguably have a limited impact, are not practical at large scale, and can only target a specific audience. We believe there are two promising methods to cope with this issue successfully: (1) developing misuse-resistant crypto APIs to render unintentional API misuse exceedingly improbable, and (2) producing high-quality, easy-to-understand, and engaging online tutorials to broaden developer knowledge in this domain.

Posted by scg at 11 May 2022, 1:15 pm