WU Yongxing,CHEN Libo,JIANG Kaida

DOI: https://doi.org/10.11959/j.issn.2096-109x.2022009

2022-01-01

Abstract:Java deserialization vulnerabilities have become a common threat to Java application security nowadays.Finding out the gadget chain determines whether this type of vulnerability can be exploited.Due to the large code space of Java applications and dependent libraries and the polymorphism of Java itself, manual analysis of Java deserialization gadget chains consumes a lot of time and effort and it is highly dependent on the experienced knowledge.Therefore, it is crucial to study how to efficiently and accurately automate the discovery of gadget chains.Java deserialization gadget chain discovery method based on hybrid analysis was proposed.Call graph based on the variable declaration type was constructed, and then the deserialization entry functions that may reach the dangerous functions were screened using the call graph analysis.The screened entry functions were used as the entry point of the hybrid information flow analysis.The hybrid information flow analysis was carried out for both pointer and tainted variables.The tainted objects created implicitly were marked.The tainted information and the pointer information were propagated simultaneously to construct the hybrid information flow graph.The reachability of external taint data propagation to the dangerous function was judged based on the hybrid information flow graph.The corresponding deserialization gadget chain was constructed according to the taint propagation path.The hybrid analysis took into account the efficiency of call graph analysis and the accuracy of hybrid information flow analysis.The corresponding static analysis tool, namely GadgetSearch, was implemented based on the proposed hybrid analysis method.In the experimental evaluation, GadgetSearch had lower false positive and lower false negative than the existing tool GadgetInspector on four datasets of Ysoserial, Marshalsec, Jackson historical CVE, and XStream historical CVE.Additionally, GadgetSearch also found multiple undisclosed gadget chains.The experimental results show that the proposed method can efficiently and accurately discover the Java deserialization gadget chain in multiple practical Java applications.

Sicong Cao,Xiaobing Sun,Xiaoxue Wu,Lili Bo,Bin Li,Rongxin Wu,Wei Liu,Biao He,Yu Ouyang,Jiajia Li

DOI: https://doi.org/10.48550/arXiv.2303.07593

2023-04-04

Abstract:Java (de)serialization is prone to causing security-critical vulnerabilities that attackers can invoke existing methods (gadgets) on the application's classpath to construct a gadget chain to perform malicious behaviors. Several techniques have been proposed to statically identify suspicious gadget chains and dynamically generate injection objects for fuzzing. However, due to their incomplete support for dynamic program features (e.g., Java runtime polymorphism) and ineffective injection object generation for fuzzing, the existing techniques are still far from satisfactory. In this paper, we first performed an empirical study to investigate the characteristics of Java deserialization vulnerabilities based on our manually collected 86 publicly known gadget chains. The empirical results show that 1) Java deserialization gadgets are usually exploited by abusing runtime polymorphism, which enables attackers to reuse serializable overridden methods; and 2) attackers usually invoke exploitable overridden methods (gadgets) via dynamic binding to generate injection objects for gadget chain construction. Based on our empirical findings, we propose a novel gadget chain mining approach, \emph{GCMiner}, which captures both explicit and implicit method calls to identify more gadget chains, and adopts an overriding-guided object generation approach to generate valid injection objects for fuzzing. The evaluation results show that \emph{GCMiner} significantly outperforms the state-of-the-art techniques, and discovers 56 unique gadget chains that cannot be identified by the baseline approaches.

Cryptography and Security,Software Engineering

Bofei Chen,Lei Zhang,Xinyou Huang,Yinzhi Cao,Keke Lian,Yuan Zhang,Min Yang

DOI: https://doi.org/10.1109/sp54263.2024.00150

2024-01-01

Abstract:Java Object Injection (JOI) is a severe type of vulnerability affecting Java deserialization, which allows adversaries to inject a well-crafted, serialized object, thus triggering a series of chained internal methods (called gadgets) and then achieving attack consequences such as Remote Code Execution (RCE). Prior works studied the problem of detecting and chaining gadgets for JOI vulnerability using static search for possible gadget chains and dynamic construction of payload via fuzzing. However, prior works face two following challenges: (i) path explosion in static gadget search and (ii) a lack of fine-grained object relations connected via object fields in dynamic payload construction.In this paper, we design and implement a novel Java deserialization gadget detection framework, called JDD. On one hand, JDD solves the static path explosion problem by a bottom-up approach, which first looks for gadget fragments and then chains gadget fragments from sinks to sources. The approach reduces maximum static search time from exponential to polynomial, i.e., from O(eM n ) to O(M 2 n 3 + enM), where n is the number of dynamic function calls in a gadget chain, M is the average number of dynamic function call candidates, and e is the number of entry points. On the other hand, JDD constructs a so-called Injection Object Construction Diagram (IOCD), which models the dataflow dependencies between injection objects’ fields to facilitate dynamic fuzzing. Our evaluation of JDD upon six real-world Java applications reveals 127 zero-day, exploitable gadget chains with six Common Vulnerabilities and Exposures (CVE) identifiers assigned. We also responsibly reported these vulnerabilities to application developers and obtained their acknowledgments and confirmations.

Sicong Cao,Biao He,Xiaobing Sun,Yu Ouyang,Chao Zhang,Xiaoxue Wu,Ting Su,Lili Bo,Bin Li,Chuanlei Ma,Jiajia Li,Tao Wei

2023-04-09

Abstract:Java deserialization vulnerability is a severe threat in practice. Researchers have proposed static analysis solutions to locate candidate vulnerabilities and fuzzing solutions to generate proof-of-concept (PoC) serialized objects to trigger them. However, existing solutions have limited effectiveness and efficiency. In this paper, we propose a novel hybrid solution ODDFUZZ to efficiently discover Java deserialization vulnerabilities. First, ODDFUZZ performs lightweight static taint analysis to identify candidate gadget chains that may cause deserialization vulner-abilities. In this step, ODDFUZZ tries to locate all candidates and avoid false negatives. Then, ODDFUZZ performs directed greybox fuzzing (DGF) to explore those candidates and generate PoC testcases to mitigate false positives. Specifically, ODDFUZZ applies a structure-aware seed generation method to guarantee the validity of the testcases, and adopts a novel hybrid feedback and a step-forward strategy to guide the directed fuzzing. We implemented a prototype of ODDFUZZ and evaluated it on the popular Java deserialization repository ysoserial. Results show that, ODDFUZZ could discover 16 out of 34 known gadget chains, while two state-of-the-art baselines only identify three of them. In addition, we evaluated ODDFUZZ on real-world applications including Oracle WebLogic Server, Apache Dubbo, Sonatype Nexus, and protostuff, and found six previously unreported exploitable gadget chains with five CVEs assigned.

Cryptography and Security

LI Yulin,CHEN Libo,LIU Yujiang,DU Wenlong,XUE Zhi

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024021

2024-01-01

Abstract:The discovery of deserialization vulnerabilities has garnered significant attention from cybersecurity researchers,with an increasing number of vulnerabilities being uncovered,posing severe threats to enterprise network security.The Java language's polymorphism and reflection capabilities render its deserialization vulnerability exploitation chains more varied and intricate,amplifying the challenges in defense and detection efforts.Consequently,developing strategies to counter Java deserialization vulnerability attacks has become a critical aspect of network security.Following an examination of numerous publicly known Java deserialization vulnerabilities,a runtime detection-based defense technology solution for Java deserialization vulnerabilities was proposed.Deserialization vulnerabilities were categorized into four types based on the data formats involved:Java native deserialization vulnerability,JSON deserialization vulnerability,XML deserialization vulnerability,and YAML deserialization vulnerability.For each type,the entry function within the exploitation process was identified and summarized.Utilizing Java's runtime protection technology,the solution monitored sensitive behaviors,such as command execution at the Java level,and captured the current runtime context information of the system.By correlating the deserialization entry function with the context information,the system can determine if the current behavior constitutes an exploitation of a deserialization vulnerability.The solution's efficacy was validated through testing on prevalent Java applications,including WebLogic,JBoss,and Jenkins.The results demonstrate that this approach can effectively protect against Java deserialization vulnerability attacks without inflicting a substantial performance penalty on the targeted system.Furthermore,when compared to other mainstream protection solutions,this method exhibits superior protective efficacy.

Yanmiao Zhang,Xiaoyu Ji,Yushi Cheng,Wenyuan Xu

DOI: https://doi.org/10.23919/ChiCC.2019.8866144

2019-01-01

Abstract:As a modern power transmission network, smart grid connects abundant terminal devices and plays an important role in our daily life. However, along with its growth are the security threats. Different from the separated environment previously, an adversary nowadays can destroy the power system by attacking its terminal devices. As a result, it's critical to ensure the security and safety of terminal devices. To achieve it, detecting the pre-existing vulnerabilities in the terminal program and enhancing its security, are of great importance and necessity. In this paper. we introduce Cker, a novel vulnerability detection tool for smart grid devices, which generates an program model based on device sources and sets rules to perform model checking. We utilize the static analysis to extract necessary information and build corresponding program models. By further checking the model with pre-defined vulnerability patterns, we achieve security detection and error reporting. The evaluation results demonstrate that our method can effectively detect vulnerabilities in smart devices with an acceptable accuracy and false positive rate. In addition, as Cker is realized by pure python. it can be easily scaled to other platforms.

Weicheng Li,Hui Lu,Yanbin Sun,Shen Su,Jing Qiu,Zhihong Tian

DOI: https://doi.org/10.1109/iwqos57198.2023.10188756

2023-01-01

Abstract:Traditional static taint analysis based on bytecode analysis such as GadgetInspector to detect deserialization vulnerabilities always faced precision problems. For example, missing the fact that taints flowing to members in called methods, type confusion, and chaotic inheritance relationships when detecting deserialization vulnerabilities, which would lead to many error results. To alleviate these problems, this paper considers three measures of improving precision of detecting deserialization vulnerabilities, including cross-function members data flow tracking, local variables and arguments types inference, and call chain subject inference based on inheritance relationships.

Mikhail Shcherbakov,Paul Moosbrugger,Musard Balliu

2023-11-07

Abstract:For better or worse, JavaScript is the cornerstone of modern Web. Prototype-based languages like JavaScript are susceptible to prototype pollution vulnerabilities, enabling an attacker to inject arbitrary properties into an object's prototype. The attacker can subsequently capitalize on the injected properties by executing otherwise benign pieces of code, so-called gadgets, that perform security-sensitive operations. The success of an attack largely depends on the presence of gadgets, leading to high-profile exploits such as privilege escalation and arbitrary code execution (ACE). This paper proposes Dasty, the first semi-automated pipeline to help developers identify gadgets in their applications' software supply chain. Dasty targets server-side Node.js applications and relies on an enhancement of dynamic taint analysis which we implement with the dynamic AST-level instrumentation. Moreover, Dasty provides support for visualization of code flows with an IDE, thus facilitating the subsequent manual analysis for building proof-of-concept exploits. To illustrate the danger of gadgets, we use Dasty in a study of the most dependent-upon NPM packages to analyze the presence of gadgets leading to ACE. Dasty identifies 1,269 server-side packages, of which 631 have code flows that may reach dangerous sinks. We manually prioritize and verify the candidate flows to build proof-of-concept exploits for 49 NPM packages, including popular packages such as ejs, nodemailer and workerpool. To investigate how Dasty integrates with existing tools to find end-to-end exploits, we conduct an in-depth analysis of a popular data visualization dashboard to find one high-severity CVE-2023-31415 leading to remote code execution. For the first time, our results systematically demonstrate the dangers of server-side gadgets and call for further research to solve the problem.

Cryptography and Security,Programming Languages

Jun Zhu,Jing Xie,Heather Richter Lipford,Bill Chu

DOI: https://doi.org/10.1016/j.jare.2013.11.006

IF: 12.822

2014-01-01

Journal of Advanced Research

Abstract:Many security incidents are caused by software developers’ failure to adhere to secure programming practices. Static analysis tools have been used to detect software vulnerabilities. However, their wide usage by developers is limited by the special training required to write rules customized to application-specific logic. Our approach is interactive static analysis, to integrate static analysis into Integrated Development Environment (IDE) and provide in-situ secure programming support to help developers prevent vulnerabilities during code construction. No additional training is required nor are there any assumptions on ways programs are built. Our work is motivated in part by the observation that many vulnerabilities are introduced due to failure to practice secure programming by knowledgeable developers. We implemented a prototype interactive static analysis tool as a plug-in for Java in Eclipse. Our technical evaluation of our prototype detected multiple zero-day vulnerabilities in a large open source project. Our evaluations also suggest that false positives may be limited to a very small class of use cases.

Xiaoyong Yan,Biao He,Wenbo Shen,Yu Ouyang,Kaihang Zhou,Xingjian Zhang,Xingyu Wang,Yukai Cao,Rui Chang

DOI: https://doi.org/10.1145/3650212.3680367

2024-01-01

Abstract:Data binding has been widely adopted by popular web frameworks due to its convenience of automatically binding web request parameters to the web program's properties. However, its improper implementation in web frameworks exposes sensitive properties, leading to data binding vulnerabilities, which can be exploited to launch severe attacks, such as the Spring4Shell remote code execution. Despite their criticalness, these issues are overlooked, and there is no systematic study addressing them. This paper presents the first automatic analysis of the data binding vulnerabilities in Java web frameworks. We develop an automatic Data bInding Vulnerabilities dEtectoR, named DIVER, to analyze data binding vulnerabilities. DIVER employs three new techniques: the Nested Property Graph-based Extraction to extract nested properties, the Bind-Site Instrumentation-based Identification to identify bindable nested properties, and the Property-aware Fuzzing to trigger and detect data binding vulnerabilities. We evaluated DIVER on two widely used Java web frameworks, Spring and Grails, and discovered 81 data binding vulnerabilities. These vulnerabilities can be exploited to launch remote code execution, arbitrary file read, and denial of service attacks. We have responsibly reported these vulnerabilities to the corresponding teams and helped to fix them. Three new CVEs with critical and high severity ratings have been assigned to us, including the infamous Spring4Shell.

Chen Fu,Barbara G. Ryder

DOI: https://doi.org/10.1109/icse.2007.35

2007-01-01

Abstract:Although it is common in large Java programs to rethrow exceptions, existing exception-flow analyses find only single exception-flow links, thus are unable to identify multiple-link exception propagation paths. This paper presents a new static analysis that, when combined with previous exception-flow analyses, computes chains of semantically-related exception-flow links, and thus reports entire exception propagation paths, instead of just discrete segments of them. These chains can be used 1) to show the error handling architecture of a system, 2) to assess the vulnerability of a single component and the whole system, 3) to support better testing of error recovery code, and 4) to facilitate the tracing of the root cause of a logged problem. Empirical findings and a case history for Tomcat show that a significant portion of the chains found in our benchmarks span multiple components, and thus are hard to find manually.

Eric Cornelissen,Mikhail Shcherbakov,Musard Balliu

2024-07-15

Abstract:Prototype pollution is a recent vulnerability that affects JavaScript code, leading to high impact attacks such as arbitrary code execution. The vulnerability is rooted in JavaScript's prototype-based inheritance, enabling attackers to inject arbitrary properties into an object's prototype at runtime. The impact of prototype pollution depends on the existence of otherwise benign pieces of code (gadgets), which inadvertently read from attacker-controlled properties to execute security-sensitive operations. While prior works primarily study gadgets in third-party libraries and client-side applications, gadgets in JavaScript runtime environments are arguably more impactful as they affect any application that executes on these runtimes. In this paper we design, implement, and evaluate a pipeline, GHunter, to systematically detect gadgets in V8-based JavaScript runtimes with prime focus on Node.js and Deno. GHunter supports a lightweight dynamic taint analysis to automatically identify gadget candidates which we validate manually to derive proof-of-concept exploits. We implement GHunter by modifying the V8 engine and the targeted runtimes along with features for facilitating manual validation. Driven by the test suites of Node.js and Deno, we use GHunter in a study of gadgets in these runtimes. We identified a total of 56 new gadgets in Node.js and 67 gadgets in Deno, pertaining to vulnerabilities such as arbitrary code execution (19), privilege escalation (31), path traversal (13), and more. Moreover, we systematize, for the first time, existing mitigations for prototype pollution and gadgets in terms of development guidelines. We collect a list of vulnerable applications and revisit the fixes through the lens of our guidelines. Through this exercise, we identified one high-severity CVE leading to remote code execution, which was due to incorrectly fixing a gadget.

Cryptography and Security

Midya Alqaradaghi,Tamás Kozsik

DOI: https://doi.org/10.1109/access.2024.3389955

IF: 3.9

2024-04-27

IEEE Access

Abstract:Various static code analysis tools have been designed to automatically detect software faults and security vulnerabilities. This paper aims to 1) conduct an empirical evaluation to assess the performance of five free and state-of-the-art static analysis tools in detecting Java security vulnerabilities using a well-defined and repeatable approach; 2) report on the vulnerabilities that are best and worst detected by static Java analyzers. We used the Juliet benchmark test suite in a controlled experiment to assess the effectiveness of five widely used Java static analysis tools. The vulnerabilities were successfully detected by one, two, or three tools. Only one vulnerability has been detected by four tools. The tools missed 13% of the Java vulnerability categories appearing in our experiment. More critically, none of the five tools could identify all the vulnerabilities in our experiment. We conclude that, despite recent improvements in their methodologies, current state-of-the-art static analysis tools are still ineffective for identifying the security vulnerabilities occurring in a small-scale, artificial test suite.

computer science, information systems,telecommunications,engineering, electrical & electronic

Quan Zhang,Yiwen Xu,Zijing Yin,Chijin Zhou,Yu Jiang

DOI: https://doi.org/10.14722/ndss.2024.24053

2024-01-01

Abstract:Java deserialization vulnerabilities have long been a grave security concern for Java applications.By injecting malicious objects with carefully crafted structures, attackers can reuse a series of existing methods during deserialization to achieve diverse attacks like remote code execution.To mitigate such attacks, developers are encouraged to implement policies restricting the object types that applications can deserialize.However, the design of precise policies requires expertise and significant manual effort, often leading to either the absence of policy or the implementation of inadequate ones.In this paper, we propose DESERIGUARD, a tool designed to assist developers in securing their applications seamlessly against deserialization attacks.It can automatically formulate a policy based on the application's semantics and then enforce it to restrict illegal deserialization attempts.First, DESERIGUARD utilizes dataflow analysis to construct a semantic-aware property tree, which records the potential structures of deserialized objects.Based on the tree, DESERIGUARD identifies the types of objects that can be safely deserialized and synthesizes an allowlist policy.Then, with the Java agent, DESERIGUARD can seamlessly enforce the policy during runtime to protect various deserialization procedures.In evaluation, DESERIGUARD successfully blocks all deserialization attacks on 12 real-world vulnerabilities.In addition, we compare DESERIGUARD's automatically synthesized policies with 109 developer-designed policies.The results demonstrate that DESERIGUARD effectively restricts 99.12% more classes.Meanwhile, we test the policy-enhanced applications with their unit tests and integration tests, which demonstrate that DESERIGUARD's policies will not interfere with applications' execution and induce a negligible time overhead of 2.17%.* Yu Jiang is the corresponding author.

Aman Sharma,Martin Wittlinger,Benoit Baudry,Martin Monperrus

2024-06-29

Abstract:Software supply chain attacks have become a significant threat as software development increasingly relies on contributions from multiple, often unverified sources. The code from unverified sources does not pose a threat until it is executed. Log4Shell is a recent example of a supply chain attack that processed a malicious input at runtime, leading to remote code execution. It exploited the dynamic class loading facilities of Java to compromise the runtime integrity of the application. Traditional safeguards can mitigate supply chain attacks at build time, but they have limitations in mitigating runtime threats posed by dynamically loaded malicious classes. This calls for a system that can detect these malicious classes and prevent their execution at runtime. This paper introduces SBOM.EXE, a proactive system designed to safeguard Java applications against such threats. SBOM.EXE constructs a comprehensive allowlist of permissible classes based on the complete software supply chain of the application. This allowlist is enforced at runtime, blocking any unrecognized or tampered classes from executing. We assess SBOM.EXE's effectiveness by mitigating 3 critical CVEs based on the above threat. We run our tool with 3 open-source Java applications and report that our tool is compatible with real-world applications with minimal performance overhead. Our findings demonstrate that SBOM.EXE can effectively maintain runtime integrity with minimal performance impact, offering a novel approach to fortifying Java applications against dynamic classloading attacks.

Cryptography and Security,Software Engineering

Jens Dietrich,Shawn Rasheed,Alexander Jordan,Tim White

DOI: https://doi.org/10.48550/arXiv.2306.05534

2023-10-10

Abstract:Modern software heavily relies on the use of components. Those components are usually published in central repositories, and managed by build systems via dependencies. Due to issues around vulnerabilities, licenses and the propagation of bugs, the study of those dependencies is of utmost importance, and numerous software composition analysis tools have emerged for this purpose. A particular challenge are hidden dependencies that are the result of cloning or shading where code from a component is "inlined", and, in the case of shading, moved to different namespaces. We present a novel approach to detect vulnerable clones in the Maven repository. Our approach is lightweight in that it does not require the creation and maintenance of a custom index. Starting with 29 vulnerabilities with assigned CVEs and proof-of-vulnerability projects, we retrieve over 53k potential vulnerable clones from Maven Central. After running our analysis on this set, we detect 727 confirmed vulnerable clones (86 if versions are aggregated) and synthesize a testable proof-of-vulnerability project for each of those. We demonstrate that existing SCA tools often miss those exposures. At the time of submission those results have led to changes to the entries for six CVEs in the GitHub Security Advisory Database (GHSA) via accepted pull requests, with more pending.

Software Engineering

Federico Bono,Frank Reyes,Aman Sharma,Benoit Baudry,Martin Monperrus

2024-08-21

Abstract:We introduce Java-Class-Hijack, a novel software supply chain attack that enables an attacker to inject malicious code by crafting a class that shadows a legitimate class that is in the dependency tree. We describe the attack, provide a proof-of-concept demonstrating its feasibility, and replicate it in the German Corona-Warn-App server application. The proof-of-concept illustrates how a transitive dependency deep within the dependency tree can hijack a class from a direct dependency and entirely alter its behavior, posing a significant security risk to Java applications. The replication on the Corona-Warn-App demonstrates how compromising a small JSON validation library could result in a complete database takeover.

Cryptography and Security,Software Engineering

Joanna C. S. Santos,Mehdi Mirakhorli,Ali Shokri

DOI: https://doi.org/10.1145/3649851

2024-09-02

Abstract:Object serialization and deserialization are widely used for storing and preserving objects in files, memory, or database as well as for transporting them across machines, enabling remote interaction among processes and many more. This mechanism relies on reflection, a dynamic language that introduces serious challenges for static analyses. Current state-of-the-art call graph construction algorithms do not fully support object serialization/deserialization, i.e., they are unable to uncover the callback methods that are invoked when objects are serialized and deserialized. Since call graphs are a core data structure for multiple types of analysis (e.g., vulnerability detection), an appropriate analysis cannot be performed since the call graph does not capture hidden (vulnerable) paths that occur via callback methods. In this paper, we present Seneca, an approach for handling serialization with improved soundness in the context of call graph construction. Our approach relies on taint analysis and API modeling to construct sound call graphs. We evaluated our approach with respect to soundness, precision, performance, and usefulness in detecting untrusted object deserialization vulnerabilities. Our results show that Seneca can create sound call graphs with respect to serialization features. The resulting call graphs do not incur significant runtime overhead and were shown to be useful for performing identification of vulnerable paths caused by untrusted object deserialization.

Software Engineering

WU Rong-hui,WANG Ning,SUN Jian-hua,CHEN Hao,CHEN Zhi-wen

DOI: https://doi.org/10.3969/j.issn.0372-2112.2013.01.028

2013-01-01

Abstract:JVM run-time library can implement various security policies by calling the library functions of its own,one of the extremely important security policy requires that sensitive operations must be performed after access control permissions checks.Traditionally it relies manual analysis to ensure that the JVM run-time library satisfy this security policy.Java standard library,covering thousands of classes,tens of thousands of methods,is in rapid development and high-rate evolution.It is time-consuming and error-prone to analyze the security policy artificially.This paper presents a full automatic,efficient and rapid model detection method for evaluating that whether the JVM in compliance with this security policy.Scanning the byte code files of Java standard class library,generating control flow graph of the member methods,our method can work out method summary by taint analysis after defining detecting model and automatically detect the risky methods.

Sharmin Afrose,Ya Xiao,Sazzadur Rahaman,Barton P. Miller,Danfeng Yao,Barton Miller,Danfeng Daphne Yao

DOI: https://doi.org/10.1109/tse.2022.3154717

IF: 7.4

2022-01-01

IEEE Transactions on Software Engineering

Abstract:Several studies showed that misuses of cryptographic APIs are common in real-world code (e.g., Apache projects and Android apps). There exist several open-sourced and commercial security tools that automatically screen Java programs to detect misuses. To compare their accuracy and security guarantees, we develop two comprehensive benchmarks named CryptoAPI-Bench and ApacheCryptoAPI-Bench. CryptoAPI-Bench consists of 181 unit test cases that cover basic cases, as well as complex cases, including interprocedural, field sensitive, multiple class test cases, and path sensitive data flow of misuse cases. The benchmark also includes correct cases for testing false-positive rates. The ApacheCryptoAPI-Bench consists of 121 cryptographic cases from 10 Apache projects. We evaluate four tools, namely, SpotBugs, CryptoGuard, CrySL, and another tool (anonymous) using both benchmarks. We present their performance and comparative analysis. The ApacheCryptoAPI-Bench also examines the scalability of the tools. Our benchmarks are useful for advancing state-of-the-art solutions in the space of misuse detection.

engineering, electrical & electronic,computer science, software engineering