Creating and maintaining an up-to-date set of security rules that match misuses of crypto APIs is challenging, as crypto APIs constantly evolve over time with new cryptographic primitives and settings, making existing ones obsolete.
To address this challenge, we present a new approach to extract security fixes from thousands of code changes. Our approach consists of: (i) identifying code changes, which often capture security fixes, (ii) an abstraction that filters irrelevant code changes (such as refactorings), and (iii) a clustering analysis that reveals commonalities between semantic code changes and helps in eliciting security rules.
We applied our approach to the Java Crypto API and showed that it is effective: (i) our abstraction effectively filters non-semantic code changes (over 99% of all changes) without removing security fixes, and (ii) over 80% of the code changes are security fixes identifying security rules. Based on our results, we identified 13 rules, including new ones not supported by existing security checkers.
Conference DayThu 21 JunDisplayed time zone: Eastern Time (US & Canada) change
14:00 - 15:40 | Synthesis and LearningPLDI Research Papers at Grand Ballroom CD Chair(s): Xin ZhangMassachusetts Institute of Technology, USA | ||
14:00 25mTalk | A General Path-Based Representation for Predicting Program Properties PLDI Research Papers Uri AlonTechnion, Meital ZilbersteinTechnion, Omer LevyUniversity of Washington, USA, Eran YahavTechnion Media Attached | ||
14:25 25mTalk | Program Synthesis using Conflict-Driven Learning PLDI Research Papers Yu FengUniversity of Texas at Austin, USA, Ruben MartinsCarnegie Mellon University, Osbert BastaniStanford University, Isil DilligUT Austin Media Attached | ||
14:50 25mTalk | Accelerating Search-Based Program Synthesis using Learned Probabilistic Models PLDI Research Papers Woosuk LeeUniversity of Pennsylvania, USA, Kihong HeoUniversity of Pennsylvania, USA, Rajeev AlurUniversity of Pennsylvania, Mayur NaikUniversity of Pennsylvania Media Attached | ||
15:15 25mTalk | Inferring Crypto API Rules from Code Changes PLDI Research Papers Media Attached | ||