Bachelor Thesis BCLR-2022-33

Bibliography: Berberich, Jens: Automatic Derivation of Rules for Static Security Analysis from Public Source Code Repositories.
University of Stuttgart, Faculty of Computer Science, Electrical Engineering, and Information Technology, Bachelor Thesis No. 33 (2022).
61 pages, English.
Abstract

Insecure crypto API usages are commonly found in modern software. To prevent insecure usages, developers can use Static Application Security Testing tools, which give them easy access to insights on whether any given API usage is secure. However, these tools typically rely on manually created rules that encode constraints on how the APIs should be used. In this thesis, CryptoRuleMiner is presented as a novel approach that can generate usable crypto API rules by mining crypto API usages. CryptoRuleMiner uses the output of the MuDetect usage miner and transforms it into CrySL rules that can be used for conducting static analysis with CogniCrypt. A ruleset generated by CryptoRuleMiner from 100 popular GitHub projects is evaluated. Additionally, the performance of the ruleset is compared to that of other usage-mining-based misuse detectors.

Department(s): University of Stuttgart, Institute of Software Technology, Empirical Software Engineering
Supervisor(s): Wagner, Prof. Stefan; Franco da Silva, Dr. Ana Christina; Haug, Markus
Entry date: October 25, 2022
Publication category: Computer Science