The Java libraries JCA and JSSE offer cryptographic APIs to facilitate secure coding. When developers misuse some of the APIs, their code becomes vulnerable to cyber-attacks. To eliminate such vulnerabilities, people built tools to detect security-API misuses via pattern matching. However, most tools do not (1) fix misuses or (2) allow users to extend tools' pattern sets. To overcome both limitations, we created Seader-an example-based approach to detect and repair security-API misuses. Given an exemplar <insecure, secure>code pair, Seader compares the snippets to infer any API-misuse template and corresponding fixing edit. Based on the inferred info, given a program, Seader performs inter-procedural static analysis to search for security-API misuses and to propose customized fixes. For evaluation, we applied Seader to 28 <insecure, secure> codepairs; Seader successfully inferred 21 unique API-misuse templates and related fixes. With these <vulnerability, fix> patterns, we applied SEADER to a program benchmark that has 86 known vulnerabilities. Seader detected vulnerabilities with 95% precision, 72% recall, and82% F-score. We also applied Seader to 100 open-source projects and manually checked 77 suggested repairs; 76 of the repairs were correct. Seader can help developers correctly use security APIs.
翻译:爪哇图书馆 JCA 和 JSSE 提供密码式API, 以便利安全编码。 当开发者滥用部分API时, 他们的代码很容易受到网络攻击。 为了消除这些脆弱性, 人们建立了通过模式匹配检测安全- API滥用的工具。 但是, 大多数工具都没有(1) 解决滥用问题或(2) 允许用户扩展工具模式。 为了克服这两个限制, 我们创建了Seader- a例式方法, 以探测和修理安全- API误用。 鉴于一个示例 < 不安全, 安全 > 代码配对, Seader 比较了源代码, 以推导出任何 API 错误模板和相应的修正编辑。 根据推断的信息, Seader 进行跨程序静态分析, 以寻找安全- API 误用, 或(2) 允许用户扩展工具模式。 为了克服这两个限制, 我们使用Seader 的28 < 不安全, 安全 - 安全 - 安全 - 代码; Seader 成功推断了21个独特的API - 错误 模板和相关修正。 这些 < vellity > 模板模式, 我们应用了SDERDERDER A - 75 安全 - brea 安全 - bregildlegy