Helping johnny encrypt: Toward semantic interfaces for cryptographic frameworks

Conference Paper

Several mature cryptographic frameworks are available, and they have been utilized for building complex applications. However, developers often use these frameworks incorrectly and introduce security vulnerabilities. This is because current cryptographic frameworks Erode abstraction boundaries, as they do not encapsulate all the framework-specific knowledge and expect developers to understand security attacks and defenses. Starting from the documented misuse cases of cryptographic APIs, we infer five developer needs and we show that a good API design would address these needs only partially. Building on this observation, we propose APIs that are semantically meaningful for developers, we show how these interfaces can be implemented consistently on top of existing frameworks using novel and known design patterns, and we propose build management hooks for isolating security workarounds needed during the development and test phases. Through two case studies, we show that our APIs can be utilized to implement non-Trivial client-server protocols and that they provide a better separation of concerns than existing frameworks. We also discuss the challenges and potential approaches for evaluating our solution. Our semantic interfaces represent a first step toward preventing misuses of cryptographic APIs.

Full Text

Duke Authors

Cited Authors

  • Indela, S; Kulkarni, M; Nayak, K; Dumitras, T

Published Date

  • October 20, 2016

Published In

  • Onward! 2016 Proceedings of the 2016 Acm International Symposium on New Ideas, New Paradigms, and Reflections on Programming and Software

Start / End Page

  • 180 - 196

International Standard Book Number 13 (ISBN-13)

  • 9781450340762

Digital Object Identifier (DOI)

  • 10.1145/2986012.2986024

Citation Source

  • Scopus