Author ORCID Identifier
16953
Advisor Information
Myoungkyu Song
Location
MBSC 308
Presentation Type
Oral Presentation
Start Date
6-3-2020 12:45 PM
End Date
6-3-2020 2:00 PM
Abstract
Cryptography is often a critical component in secure software systems, and misuse of cryptographic primitives is a frequent source of vulnerabilities. To secure data and communications in applications, developers often rely on cryptographic algorithms and APIs that provide confidentiality, integrity, and authentication based on solid mathematical foundations. While many advanced crypto algorithms are available to developers, using these APIs correctly is challenging: turning the mathematical equations of a crypto algorithm into an application is a difficult task, and a mistake in a cryptographic implementation can subvert the security of the entire system. In this research, we present an automated approach for Finding and Repairing Bugs based on security patterns (FIREBUGS) to repair crypto API misuses that cause security vulnerabilities. To locate and fix security bugs, we apply security patterns, reusable solutions that capture a large body of software design experience across many different situations. We evaluated FIREBUGS using two methods. First, we applied FIREBUGS to 229 mobile applications to estimate how accurately it detected crypto API misuses in the security implementations of these real open-source projects. Second, we conducted a user study at Mutual of Omaha Insurance Company, where professional engineers used FIREBUGS to detect and repair crypto misuses identified in open-source projects. This attests that FIREBUGS can be scaled to industry settings and easily adopted by professional engineers.
Included in
Automated Tool Support - Repairing Security Bugs in Mobile Applications
Additional Information (Optional)
https://dblp.uni-trier.de/pers/hd/s/Singleton:Larry