[{"date_created":"2024-03-20T09:22:27Z","place":"Bonn","keyword":["API misuses","API usage constraints","classification framework","API misuse detection","static analysis"],"type":"book_chapter","department":[{"_id":"76"}],"publication":"Software Engineering 2023","citation":{"short":"M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: Software Engineering 2023, Gesellschaft für Informatik e.V., Bonn, 2023, pp. 105–106.","chicago":"Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden. “Introducing FUM: A Framework for API Usage Constraint and Misuse Classification.” In <i>Software Engineering 2023</i>, 105–106. Bonn: Gesellschaft für Informatik e.V., 2023.","apa":"Schlichtig, M., Sassalla, S., Narasimhan, K., &#38; Bodden, E. (2023). Introducing FUM: A Framework for API Usage Constraint and Misuse Classification. In <i>Software Engineering 2023</i> (pp. 105–106). Gesellschaft für Informatik e.V.","ieee":"M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “Introducing FUM: A Framework for API Usage Constraint and Misuse Classification,” in <i>Software Engineering 2023</i>, Bonn: Gesellschaft für Informatik e.V., 2023, pp. 105–106.","ama":"Schlichtig M, Sassalla S, Narasimhan K, Bodden E. Introducing FUM: A Framework for API Usage Constraint and Misuse Classification. In: <i>Software Engineering 2023</i>. Gesellschaft für Informatik e.V.; 2023:105–106.","bibtex":"@inbook{Schlichtig_Sassalla_Narasimhan_Bodden_2023, place={Bonn}, title={Introducing FUM: A Framework for API Usage Constraint and Misuse Classification}, booktitle={Software Engineering 2023}, publisher={Gesellschaft für Informatik e.V.}, author={Schlichtig, Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}, year={2023}, pages={105–106} }","mla":"Schlichtig, Michael, et al. “Introducing FUM: A Framework for API Usage Constraint and Misuse Classification.” <i>Software Engineering 2023</i>, Gesellschaft für Informatik e.V., 2023, pp. 
105–106."},"abstract":[{"text":"Application Programming Interfaces (APIs) are the primary mechanism developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and how they are caused, is important to prevent them, e.g., with API misuse detectors. However, definitions for API misuses and related terms in the literature vary. This paper presents a systematic literature review to clarify these terms and introduces FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To address this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuse detector’s capabilities, we performed a case study on the state-of-the-art misuse detection tool CogniCrypt. 
The study showed that FUM can be used to properly assess CogniCrypt’s capabilities, identify weaknesses and assist in deriving mitigations and improvements.","lang":"eng"}],"page":"105–106","main_file_link":[{"url":"https://dl.gi.de/items/c4825557-cf3d-4038-933a-d8f95fd324a2"}],"_id":"52660","publisher":"Gesellschaft für Informatik e.V.","language":[{"iso":"eng"}],"user_id":"32312","title":"Introducing FUM: A Framework for API Usage Constraint and Misuse Classification","status":"public","year":"2023","publication_identifier":{"isbn":["978-3-88579-726-5"]},"author":[{"id":"32312","full_name":"Schlichtig, Michael","last_name":"Schlichtig","first_name":"Michael","orcid":"0000-0001-6600-6171"},{"last_name":"Sassalla","first_name":"Steffen","full_name":"Sassalla, Steffen"},{"last_name":"Narasimhan","first_name":"Krishna","full_name":"Narasimhan, Krishna"},{"id":"59256","orcid":"0000-0003-3470-3647","last_name":"Bodden","first_name":"Eric","full_name":"Bodden, Eric"}],"date_updated":"2024-03-20T09:25:46Z"},{"language":[{"iso":"eng"}],"_id":"32409","user_id":"32312","doi":"10.48550/ARXIV.2204.06447","status":"public","title":"CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite","year":"2022","author":[{"id":"32312","first_name":"Michael","orcid":"0000-0001-6600-6171","last_name":"Schlichtig","full_name":"Schlichtig, Michael"},{"last_name":"Wickert","first_name":"Anna-Katharina","full_name":"Wickert, Anna-Katharina"},{"first_name":"Stefan","last_name":"Krüger","full_name":"Krüger, Stefan"},{"id":"59256","full_name":"Bodden, Eric","last_name":"Bodden","first_name":"Eric","orcid":"0000-0003-3470-3647"},{"first_name":"Mira","last_name":"Mezini","full_name":"Mezini, Mira"}],"date_updated":"2022-07-25T10:23:44Z","date_created":"2022-07-25T07:56:59Z","type":"misc","keyword":["cryptography","benchmark","API misuse","static analysis"],"department":[{"_id":"76"}],"citation":{"bibtex":"@book{Schlichtig_Wickert_Krüger_Bodden_Mezini_2022, title={CamBench -- 
Cryptographic API Misuse Detection Tool Benchmark Suite}, DOI={<a href=\"https://doi.org/10.48550/ARXIV.2204.06447\">10.48550/ARXIV.2204.06447</a>}, author={Schlichtig, Michael and Wickert, Anna-Katharina and Krüger, Stefan and Bodden, Eric and Mezini, Mira}, year={2022} }","short":"M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, M. Mezini, CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite, 2022.","ama":"Schlichtig M, Wickert A-K, Krüger S, Bodden E, Mezini M. <i>CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite</i>.; 2022. doi:<a href=\"https://doi.org/10.48550/ARXIV.2204.06447\">10.48550/ARXIV.2204.06447</a>","chicago":"Schlichtig, Michael, Anna-Katharina Wickert, Stefan Krüger, Eric Bodden, and Mira Mezini. <i>CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite</i>, 2022. <a href=\"https://doi.org/10.48550/ARXIV.2204.06447\">https://doi.org/10.48550/ARXIV.2204.06447</a>.","ieee":"M. Schlichtig, A.-K. Wickert, S. Krüger, E. Bodden, and M. Mezini, <i>CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite</i>. 2022.","apa":"Schlichtig, M., Wickert, A.-K., Krüger, S., Bodden, E., &#38; Mezini, M. (2022). <i>CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite</i>. <a href=\"https://doi.org/10.48550/ARXIV.2204.06447\">https://doi.org/10.48550/ARXIV.2204.06447</a>","mla":"Schlichtig, Michael, et al. <i>CamBench -- Cryptographic API Misuse Detection Tool Benchmark Suite</i>. 2022, doi:<a href=\"https://doi.org/10.48550/ARXIV.2204.06447\">10.48550/ARXIV.2204.06447</a>."},"abstract":[{"lang":"eng","text":"Context: Cryptographic APIs are often misused in real-world applications. Therefore, many cryptographic API misuse detection tools have been introduced. However, there exists no established reference benchmark for a fair and comprehensive comparison and evaluation of these tools. 
While there are benchmarks, they often only address a subset of the domain or were only used to evaluate a subset of existing misuse detection tools. Objective: To fairly compare cryptographic API misuse detection tools and to drive future development in this domain, we will devise such a benchmark. Openness and transparency in the generation process are key factors to fairly generate and establish the needed benchmark. Method: We propose an approach where we derive the benchmark generation methodology from the literature which consists of general best practices in benchmarking and domain-specific benchmark generation. A part of this methodology is transparency and openness of the generation process, which is achieved by pre-registering this work. Based on our methodology we design CamBench, a fair \"Cryptographic API Misuse Detection Tool Benchmark Suite\". We will implement the first version of CamBench limiting the domain to Java, the JCA, and static analyses. Finally, we will use CamBench to compare current misuse detection tools and compare CamBench to related benchmarks of its domain."}],"related_material":{"link":[{"url":"https://arxiv.org/abs/2204.06447","relation":"confirmation"}]}},{"page":"673 - 684","language":[{"iso":"eng"}],"_id":"31133","doi":"https://doi.org/10.1109/SANER53432.2022.00085","user_id":"32312","title":"FUM - A Framework for API Usage constraint and Misuse Classification","status":"public","year":"2022","author":[{"full_name":"Schlichtig, Michael","orcid":"0000-0001-6600-6171","first_name":"Michael","last_name":"Schlichtig","id":"32312"},{"first_name":"Steffen","last_name":"Sassalla","full_name":"Sassalla, Steffen"},{"first_name":"Krishna","last_name":"Narasimhan","full_name":"Narasimhan, Krishna"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","full_name":"Bodden, Eric","id":"59256"}],"date_updated":"2022-07-26T11:42:30Z","date_created":"2022-05-09T13:04:10Z","type":"conference","keyword":["API misuses","API 
usage constraints","classification framework","API misuse detection","static analysis"],"department":[{"_id":"76"}],"publication":"2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)","citation":{"apa":"Schlichtig, M., Sassalla, S., Narasimhan, K., &#38; Bodden, E. (2022). FUM - A Framework for API Usage constraint and Misuse Classification. <i>2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)</i>, 673–684. <a href=\"https://doi.org/10.1109/SANER53432.2022.00085\">https://doi.org/10.1109/SANER53432.2022.00085</a>","mla":"Schlichtig, Michael, et al. “FUM - A Framework for API Usage Constraint and Misuse Classification.” <i>2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)</i>, 2022, pp. 673–84, doi:<a href=\"https://doi.org/10.1109/SANER53432.2022.00085\">https://doi.org/10.1109/SANER53432.2022.00085</a>.","ieee":"M. Schlichtig, S. Sassalla, K. Narasimhan, and E. Bodden, “FUM - A Framework for API Usage constraint and Misuse Classification,” in <i>2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)</i>, 2022, pp. 673–684, doi: <a href=\"https://doi.org/10.1109/SANER53432.2022.00085\">https://doi.org/10.1109/SANER53432.2022.00085</a>.","ama":"Schlichtig M, Sassalla S, Narasimhan K, Bodden E. FUM - A Framework for API Usage constraint and Misuse Classification. In: <i>2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)</i>. ; 2022:673-684. doi:<a href=\"https://doi.org/10.1109/SANER53432.2022.00085\">https://doi.org/10.1109/SANER53432.2022.00085</a>","short":"M. Schlichtig, S. Sassalla, K. Narasimhan, E. Bodden, in: 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2022, pp. 673–684.","chicago":"Schlichtig, Michael, Steffen Sassalla, Krishna Narasimhan, and Eric Bodden. 
“FUM - A Framework for API Usage Constraint and Misuse Classification.” In <i>2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)</i>, 673–84, 2022. <a href=\"https://doi.org/10.1109/SANER53432.2022.00085\">https://doi.org/10.1109/SANER53432.2022.00085</a>.","bibtex":"@inproceedings{Schlichtig_Sassalla_Narasimhan_Bodden_2022, title={FUM - A Framework for API Usage constraint and Misuse Classification}, DOI={<a href=\"https://doi.org/10.1109/SANER53432.2022.00085\">https://doi.org/10.1109/SANER53432.2022.00085</a>}, booktitle={2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)}, author={Schlichtig, Michael and Sassalla, Steffen and Narasimhan, Krishna and Bodden, Eric}, year={2022}, pages={673–684} }"},"abstract":[{"text":"Application Programming Interfaces (APIs) are the primary mechanism that developers use to obtain access to third-party algorithms and services. Unfortunately, APIs can be misused, which can have catastrophic consequences, especially if the APIs provide security-critical functionalities like cryptography. Understanding what API misuses are, and for what reasons they are caused, is important to prevent them, e.g., with API misuse detectors. However, definitions and names for API misuses and related terms in the literature vary and are diverse. This paper addresses the problem of scattered knowledge and definitions of API misuses by presenting a systematic literature review on the subject and introducing FUM, a novel Framework for API Usage constraint and Misuse classification. The literature review revealed that API misuses are violations of API usage constraints. To capture this, we provide unified definitions and use them to derive FUM. To assess the extent to which FUM aids in determining and guiding the improvement of an API misuse detector's capabilities, we performed a case study on CogniCrypt, a state-of-the-art misuse detector for cryptographic APIs. 
The study showed that FUM can be used to properly assess CogniCrypt's capabilities, identify weaknesses and assist in deriving mitigations and improvements. It also appears that, more generally, FUM can aid the development and improvement of misuse detection tools.","lang":"eng"}],"quality_controlled":"1","related_material":{"link":[{"relation":"confirmation","url":"https://ieeexplore.ieee.org/document/9825763"}]}}]
