Libraries offer reusable functionality through Application Programming Interfaces (APIs) with usage constraints such as call conditions or orders. Constraint violations, i.e. API misuses, commonly lead to bugs and security issues. Although researchers have developed various API misuse detectors in the past few decades, recent studies show that API misuse is prevalent in real-world projects, especially for secure socket layer (SSL) certificate validation, which is completely broken in many security-critical applications and libraries. In this paper, we introduce SSLDoc to effectively detect API misuse bugs, specifically for SSL API libraries. The key insight behind SSLDoc is a constraint-directed static analysis technique powered by a domain-specific language (DSL) for specifying API usage constraints. Through studying real-world API misuse bugs, we propose ISpec DSL, which covers majority types of API usage constraints and enables simple but precise specification. Furthermore, we design and implement SSLDoc to automatically parse ISpec into checking targets and employ a static analysis engine to identify potential API misuses and prune false positives with rich semantics. We have instantiated SSLDoc for OpenSSL APIs and applied it to large-scale open-source programs. SSLDoc found 45 previously unknown security-sensitive bugs in OpenSSL implementation and applications in Ubuntu. Up to now, 35 have been confirmed by the corresponding development communities and 27 have been fixed in master branch.

Keywords:

References

1. S. Amann, S. Nadi, H. A. Nguyen, T. N. Nguyen and M. Mezini , Mubench: A benchmark for api-misuse detectors, in Proc. 13th Int. Conf. Mining Software Repositories, 2016, pp. 464–467. Crossref, Google Scholar
2. T. Dierks and E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.2, RFC Vol. 5246, 2008. Google Scholar
3. A. Freier, P. Karlton and P. Kocher, The Secure Sockets Layer (SSL) Protocol Version 3.0, RFC Vol. 6101, 2011. Google Scholar
4. Openssl: Cryptography and ssl/tls toolkit 2018, https://github.com/openssl/openssl. Google Scholar
5. Gnutls: A secure communications library implementing the ssl, tls and dtls protocols and technologies around them 2018, https://gitlab.com/gnutls/gnutls/. Google Scholar
6. Cve-2016-2182 2016, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2182. Google Scholar
7. Cve-2016-2113 2016, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2113. Google Scholar
8. M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh and V. Shmatikov , The most dangerous code in the world: validating SSL certificates in non-browser software, Conf. Communications Security, 2012, pp. 38–49. Crossref, Google Scholar
9. J. Clark and P. C. van Oorschot , Sok: SSL and HTTPS: Revisiting past challenges and evaluating certificate trust model enhancements, in IEEE Symp. Security and Privacy, 2013, pp. 511–525. Crossref, Google Scholar
10. C. Brubaker, S. Jana, B. Ray, S. Khurshid and V. Shmatikov , Using frankencerts for automated adversarial testing of certificate validation in SSL/TLS implementations, in IEEE Symp. Security and Privacy, 2014, pp. 114–129. Crossref, Google Scholar
11. A. Delaitre, B. Stivalet, E. Fong and V. Okun , Evaluating bug finders - test and measurement of static code analyzers, Int. Workshop on Complex Fanlts and Failures in Large Software, 2015, pp. 14–20. Crossref, Google Scholar
12. B. He, V. Rastogi, Y. Cao, Y. Chen, V. N. Venkatakrishnan, R. Yang and Z. Zhang , Vetting SSL usage in applications with SSLINT, IEEE Symp. Security and Privacy, 2015, pp. 519–534. Crossref, Google Scholar
13. I. Yun, C. Min, X. Si, Y. Jang, T. Kim and M. Naik , Apisan: Sanitizing API usages through semantic cross-checking, in USENIX Security 16, 2016, pp. 363–378. Google Scholar
14. D. A. Ramos and D. R. Engler , Under-constrained symbolic execution: Correctness checking for real code, 24th USENIX Security Symp. 2015, pp. 49–64. Google Scholar
15. H. A. Nguyen, R. Dyer, T. N. Nguyen and H. Rajan , Mining preconditions of apis in large-scale code corpus, in Proc. 22nd ACM SIGSOFT Int. Symp. Foundations of Software Engineering, 2014, pp. 166–177. Crossref, Google Scholar
16. Cve-2015-0208 (2018), http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0208. Google Scholar
17. Y. J. Kang, B. Ray and S. Jana , Apex: Automated inference of error specifications for C apis, in Proc. 31st IEEE/ACM Int. Conf. Automated Software Engineering, 2016, pp. 472–482. Crossref, Google Scholar
18. B. Cheng and W. W. Hwu , Modular interprocedural pointer analysis using access paths: Design, implementation, and evaluation, in Proc. ACM SIGPLAN 2000 Conf. Programming Language Design and Implementation, 2000, pp. 57–69. Crossref, Google Scholar
19. A. Bessey, K. Block, B. Chelf, A. Chou, B. Fulton, S. Hallem, C. Gros, A. Kamsky, S. McPeak and D. R. Engler , A few billion lines of code later: Using static analysis to find bugs in the real world, Commun. ACM 53(2) (2010) 66–75. Crossref, Web of Science, Google Scholar
20. The llvm compiler infrastructure (2018), http://releases.llvm.org/3.9.0/docs/ReleaseNotes.html. Google Scholar
21. Javacpp: Efficient access to native c++ inside java (2018), https://github.com/bytedeco/javacpp. Google Scholar
22. Yaml: A human friendly data serialization standard for all programming languages (2018), http://yaml.org/. Google Scholar