Browse Source

buncha stuff

master
Nicolas Hafner 2 years ago
parent
commit
673d9464bf
3 changed files with 101 additions and 18 deletions
  1. BIN
      dag-clustering.png
  2. BIN
      presentation.pdf
  3. +101
    -18
      presentation.tex

BIN
dag-clustering.png View File

Before After
Width: 1306  |  Height: 1350  |  Size: 163 KiB

BIN
presentation.pdf View File


+ 101
- 18
presentation.tex View File

@ -47,6 +47,8 @@
\vskip 0.3cm {\Large #1} \vskip 0.2cm %
}
\renewcommand{\b}[1]{\textbf{#1}}
\begin{document}
\begin{frame}
\begin{center}
@ -54,6 +56,7 @@
{\LARGE Inferring Crypto API Rules \\ from Code Changes}\\
\vspace{0.5cm}
{ ETH Software Engineering Seminar 2018 }
% FIXME: names
\end{center}
\end{frame}
@ -63,9 +66,13 @@
\item Security APIs are difficult to use
\item The APIs change and evolve
\item Old techniques become vulnerable
% FIXME: improvements on tools
% current tools not suitable
\end{itemize}
\end{frame}
% FIXME: challenges
\begin{frame}
\title{The Paper's Approach}
\begin{itemize}
@ -84,6 +91,8 @@
}
\end{frame}
% FIXME: static analysis overview
\begin{frame}[fragile]
\title{Static Analysis}
\begin{javacode}
@ -152,27 +161,16 @@ class AESCipher{
\end{itemize}
\end{frame}
\begin{frame}
\title{Change Filtering}
\begin{itemize}
\item Remove the diff if there are:
\begin{enumerate}
\item no changes \textcolor{gray}{the diff is irrelevant to our API}
\item no removals \textcolor{gray}{introductions of APIs are not interesting}
\item no additions \textcolor{gray}{usage removal alone is not interesting}
\end{enumerate}
relevant to our API, or if
\begin{enumerate}\setcounter{enumi}{3}
\item the diff is a duplicate.
\end{enumerate}
\end{itemize}
\end{frame}
\begin{frame}
\title{Change Clustering}
\makebox[\linewidth][c]{
\includegraphics[width=0.6\pagewidth]{dag-clustering.png}
}
% FIXME: add note for derived rule
\end{frame}
% FIXME: rule application
\begin{frame}
\title{Data Set}
\begin{itemize}
@ -183,16 +181,85 @@ class AESCipher{
\end{itemize}
\end{frame}
\begin{frame}
\title{Findings}
\begin{itemize}
\item Filters effectively remove irrelevant changes
\end{itemize}
\vspace{\fill}
{\small
\begin{tabular}{lrrrrr}
\b{Target API Class} & \b{Usage Changes} & \multicolumn{4}{c}{\b{After Filter}} \\
&& Same & Add & Rem & Dup \\
\hline
Cipher & 15829 & 419 & 204 & 116 & 75 \\
IVParameterSpec & 4967 & 58 & 24 & 12 & 11 \\
MessageDigest & 8277 & 116 & 78 & 27 & 17 \\
SecretKeySpec & 15543 & 226 & 120 & 55 & 45 \\
SecureRandom & 26008 & 309 & 131 & 26 & 21 \\
PBEKeySpec & 1549 & 29 & 21 & 17 & 17 \\
\end{tabular}}
\end{frame}
\begin{frame}
\title{Findings}
\begin{itemize}
\item Filters effectively remove irrelevant changes
\item Semantic changes are not affected
\item Seven new security rules derived
\end{itemize}
\vspace{\fill}
{\small
\begin{tabular}{llrrrrrr}
\b{Rule} & \b{Change} & \b{Total} & \multicolumn{4}{c}{\b{Filtered Changes}} & \b{Remain.} \\
&&& Same & Add & Rem & Dup & \\
\hline
CL1 & fix & 8 & 0 & 0 & 0 & 1 & 7 \\
& bug & 1 & 0 & 0 & 0 & 0 & 1 \\
& none & 15820 & 15410 & 215 & 88 & 40 & 67 \\
CL2 & fix & 1 & 0 & 0 & 0 & 0 & 1 \\
& bugs & 0 & 0 & 0 & 0 & 0 & 0 \\
& none & 4966 & 4909 & 34 & 12 & 1 & 10 \\
\end{tabular}}
\end{frame}
\begin{frame}
\title{Findings}
\begin{itemize}
\item Filters effectively remove irrelevant changes
\item Semantic changes are not affected
\item 13 security rules derived, 7 of them new
\end{itemize}
\vspace{\fill}
{\scriptsize
\begin{tabular}{ll}
\b{R1} & Use SHA-256 instead of SHA-1 \\
R2 & Do not use password-based encryption with iterations count less than 1000 \\
\b{R3} & SecureRandom should be used with SHA-1PRNG \\
\b{R4} & SecureRandom with getInstanceStrong should be avoided \\
\b{R5} & Use the BouncyCastle provider for Cipher \\
\b{R6} & The underlying PRNG is vulnerable on Android v16-18 \\
R7 & Do not use Cipher in AES/ECB mode \\
\b{R8} & Do not use Cipher with DES mode \\
R9 & IvParameterSpec should not be initialized with a static byte array \\
R10 & SecretKeySpec should not be static \\
R11 & Do not use password-based encryption with static salt \\
R12 & Do not use SecureRandom static seed \\
\b{R13} & Missing integrity check after symmetric key exchange \\
\end{tabular}}
\end{frame}
\begin{frame}
\title{Findings}
\begin{itemize}
\item Filters effectively remove irrelevant changes
\item Semantic changes are not affected
\item 13 security rules derived, 7 of them new
\item Vulnerabilities found in 57\% of analysed projects
\end{itemize}
\end{frame}
% FIXME: opinion
\begin{frame}
\title{Conclusion}
\begin{itemize}
@ -200,6 +267,22 @@ class AESCipher{
\item In a sample case, 13 security rules were derived
\item Of the analysed projects, 57\% were vulnerable to at least one of the derived rules
\end{itemize}
\vspace{\fill}
\makebox[\linewidth][c]{
\scriptsize
\url{http://diffcode.ethz.ch/}
}
\makebox[\linewidth][c]{
\scriptsize
\url{https://files.sri.inf.ethz.ch/website/papers/diffcode-pldi2018.pdf}
}
\end{frame}
\begin{frame}
\end{frame}
\begin{frame}
Todo: backup slides with more detail
\end{frame}
\end{document}

Loading…
Cancel
Save