SpanL: Creating Algorithms for Automatic API Misuse Detection with Program Analysis Compositions

Danfeng (Daphne) Yao

Abstract

High-level language platforms provide APIs to aid developers in easily integrating security-relevant features in their code. Prior research shows that improper use of these APIs is a major source of insecurity in various application domains. Automatic code screening holds lots of potential to enable secure coding. However, building domain-specific security analysis tools requires both application domain and program analysis expertise. Interestingly, most of the prior works in developing domain-specific security analysis tools leverage some form of data flow analysis in the core. We leverage this insight to build a specification language named SPANL for domain-specific security screening. The expressiveness analysis shows that a rule requiring any composition of dataflow analysis can be modeled in our language. Our evaluation on four cryptographic API misuse problems shows that our prototype implementation of SPANL does not introduce any imprecision due to the expressiveness of the language( SPANL stands for Security sPecificAtioN Language.).

Sazzadur Rahaman, Miles Frantz, Barton P. Miller, Danfeng (Daphne) Yao: SpanL: Creating Algorithms for Automatic API Misuse Detection with Program Analysis Compositions. ACNS Workshops 2023: 515-529