Automated Rule Inference for Cryptographic APIs through Source Code Repositories
Wed 7 Nov 2018 19:57 - 19:59 at Georgian - Poster & SRC
Cryptographic misuses are widespread and cause severe security issues in many software applications. Current static analyses detect these misuses by checking code against a predefined set of rules, and for the rules in that set they perform well. One limitation is that the rule sets are created manually in an error-prone, tedious and time-consuming process. With ARC, we plan to create cryptographic rules automatically. We plan to identify to what extent source code repositories can be used to learn rules from code changes and the available metadata, e.g., commit messages and authors. Further, we aim to build a dataset that is a reliable source for learning, and we will evaluate whether additional sources besides source code are required. We plan to use the dataset as input for an API-misuse detector that applies a machine learning algorithm to identify incorrect usages. Finally, we plan to evaluate whether our approach is transferable to other languages and APIs.